From bf39b7c9525eb9e6de6a2670c868e5b9666a898d Mon Sep 17 00:00:00 2001
From: Sandra
Date: Tue, 11 Feb 2025 00:23:48 +0200
Subject: [PATCH 1/2] PSMDB. Add kerberos to setup and test to check PMM GSSAPI support
---
pmm_psmdb-pbm_setup/Dockerfile | 1 +
pmm_psmdb-pbm_setup/conf/krb/krb5.conf | 16 ++++++++++
pmm_psmdb-pbm_setup/conf/sysconfig/mongod | 1 +
pmm_psmdb_diffauth_setup/Dockerfile-kerberos | 5 ++++
.../conf/configure_krb5.sh | 29 +++++++++++++++++++
pmm_psmdb_diffauth_setup/conf/mongod.conf | 4 +--
.../docker-compose-pmm-psmdb.yml | 23 +++++++++++++++
pmm_psmdb_diffauth_setup/test/test.py | 18 ++++++++++++
8 files changed, 95 insertions(+), 2 deletions(-)
create mode 100644 pmm_psmdb-pbm_setup/conf/krb/krb5.conf
create mode 100644 pmm_psmdb_diffauth_setup/Dockerfile-kerberos
create mode 100755 pmm_psmdb_diffauth_setup/conf/configure_krb5.sh
diff --git a/pmm_psmdb-pbm_setup/Dockerfile b/pmm_psmdb-pbm_setup/Dockerfile
index dc28ff6..9edf594 100644
--- a/pmm_psmdb-pbm_setup/Dockerfile
+++ b/pmm_psmdb-pbm_setup/Dockerfile
@@ -81,6 +81,7 @@ RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]; then \
 COPY conf/sysconfig/mongod /etc/sysconfig/
 COPY keyfile /etc/keyfile
+COPY conf/krb/krb5.conf /etc/krb5.conf
 RUN ln -s /usr/bin/mongosh /usr/bin/mongo || true
 RUN chown mongod /etc/keyfile && chmod 400 /etc/keyfile
 EXPOSE 27017
diff --git a/pmm_psmdb-pbm_setup/conf/krb/krb5.conf b/pmm_psmdb-pbm_setup/conf/krb/krb5.conf
new file mode 100644
index 0000000..527d607
--- /dev/null
+++ b/pmm_psmdb-pbm_setup/conf/krb/krb5.conf
@@ -0,0 +1,16 @@
+[libdefaults]
+ default_realm = PERCONATEST.COM
+ forwardable = true
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ignore_acceptor_hostname = true
+ rdns = false
+[realms]
+ PERCONATEST.COM = {
+ kdc_ports = 88
+ kdc = kerberos
+ }
+[domain_realm]
+ .perconatest.com = PERCONATEST.COM
+ perconatest.com = PERCONATEST.COM
+ kerberos = PERCONATEST.COM
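Review bot: `ignore_acceptor_hostname = true` and `rdns = false` in `[libdefaults]` switch off the acceptor-name and reverse-DNS checks, presumably so that the `mongodb/psmdb-server` service principal is accepted inside a compose network that has no DNS; nothing in the file records that this is a test-bed relaxation, so add `# test-only: compose network has no DNS, so acceptor-name/reverse-DNS checks are disabled` above those two lines. The `[libdefaults]`/`[realms]`/`[domain_realm]` sections are a copy of the heredoc that `configure_krb5.sh` writes in the same commit, differing only by the missing `admin_server = kerberos`; keeping one source (for example COPYing this file into `Dockerfile-kerberos` as well) avoids the two drifting apart.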
diff --git a/pmm_psmdb-pbm_setup/conf/sysconfig/mongod b/pmm_psmdb-pbm_setup/conf/sysconfig/mongod
index 5040e7c..263bb7d 100644
--- a/pmm_psmdb-pbm_setup/conf/sysconfig/mongod
+++ b/pmm_psmdb-pbm_setup/conf/sysconfig/mongod
@@ -1,3 +1,4 @@
 OPTIONS="-f /etc/mongod/mongod.conf"
 STDOUT="/var/log/mongo/mongod.stdout"
 STDERR="/var/log/mongo/mongod.stderr"
+KRB5_KTNAME=/keytabs/mongodb.keytab
diff --git a/pmm_psmdb_diffauth_setup/Dockerfile-kerberos b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
new file mode 100644
index 0000000..97e412b
--- /dev/null
+++ b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
@@ -0,0 +1,5 @@
+FROM alpine
+RUN apk add --no-cache bash krb5 krb5-server krb5-pkinit
+COPY conf/configure_krb5.sh /var/lib/krb5kdc/
+EXPOSE 88/udp
+ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]
diff --git a/pmm_psmdb_diffauth_setup/conf/configure_krb5.sh b/pmm_psmdb_diffauth_setup/conf/configure_krb5.sh
new file mode 100755
index 0000000..a46c192
--- /dev/null
+++ b/pmm_psmdb_diffauth_setup/conf/configure_krb5.sh
@@ -0,0 +1,29 @@
+#! /env/sh
+
+cat > /etc/krb5.conf << EOL
+[libdefaults]
+ default_realm = PERCONATEST.COM
+ forwardable = true
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ignore_acceptor_hostname = true
+ rdns = false
+[realms]
+ PERCONATEST.COM = {
+ kdc_ports = 88
+ kdc = kerberos
+ admin_server = kerberos
+ }
+[domain_realm]
+ .perconatest.com = PERCONATEST.COM
+ perconatest.com = PERCONATEST.COM
+ kerberos = PERCONATEST.COM
+EOL
+
+kdb5_util -P password create -s
+kadmin.local -q "addprinc -pw password root/admin"
+kadmin.local -q "addprinc -pw mongodb mongodb/psmdb-server"
+kadmin.local -q "addprinc -pw password1 pmm-test"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/psmdb-server@PERCONATEST.COM"
+
+krb5kdc -n
diff --git a/pmm_psmdb_diffauth_setup/conf/mongod.conf b/pmm_psmdb_diffauth_setup/conf/mongod.conf
index d83b3d8..125aa69 100644
--- a/pmm_psmdb_diffauth_setup/conf/mongod.conf
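Review bot: `FROM alpine` carries no tag, so the KDC image and its `krb5` packages float to whatever `alpine:latest` resolves to at build time, which makes auth-test failures hard to reproduce; the second patch in this series does the same on the LDAP side by changing `bitnami/openldap:2` to the untagged `bitnami/openldap`. Pin both, e.g. `FROM alpine:<pinned version>` here and a tag on the openldap image, and bump the pins deliberately. `bash` is installed, but the ENTRYPOINT runs the script through `sh`, so that package appears unused.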
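Review bot: The shebang `#! /env/sh` points at a path that does not exist, so the script is only runnable because `Dockerfile-kerberos` invokes it as `sh <path>`; make it `#!/bin/sh`. There is also no `set -e`, so if `kdb5_util create` or the `ktadd` step fails the script carries on to `krb5kdc -n`, the KDC comes up without `/keytabs/mongodb.keytab`, and the compose healthcheck can still report the service healthy; add `set -eu` right after the shebang. The principal passwords here are test fixtures and `pmm-test`'s is repeated in `test/test.py`; a comment such as `# test-only credentials; pmm-test's password is also hard-coded in test/test.py` keeps the two in step.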
+++ b/pmm_psmdb_diffauth_setup/conf/mongod.conf
@@ -26,11 +26,11 @@ security:
 validateLDAPServerConfig: false
 transportSecurity: none
 servers: ldap-server:1389
- userToDNMapping: '[{match: "arn:aws:iam::(.+):user/(.+)|CN=(.+)", substitution: "cn={1}{2},ou=users,dc=example,dc=org"}]'
+ userToDNMapping: '[{match: "arn:aws:iam::(.+):user/(.+)|CN=(.+)|([^@]+)@PERCONATEST.COM", substitution: "cn={1}{2}{3},ou=users,dc=example,dc=org"}]'
 authz:
 queryTemplate: 'dc=example,dc=org??sub?(&(objectClass=groupOfNames)(member={USER}))'
 setParameter:
- authenticationMechanisms: SCRAM-SHA-1,PLAIN,MONGODB-X509,MONGODB-AWS
+ authenticationMechanisms: SCRAM-SHA-1,PLAIN,MONGODB-X509,MONGODB-AWS,GSSAPI
 replication:
 replSetName: rs0
diff --git a/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml b/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml
index 5ac5ff6..061a7ec 100644
--- a/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml
+++ b/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml
@@ -42,12 +42,14 @@ services:
 - -c
 - |
 cp /mongodb_certs/ca-certs.pem /etc/pki/tls/certs/
+ chown -R mongod:mongod /keytabs
 exec /usr/sbin/init
 volumes:
 - ./conf:/etc/mongod
 - ./certs:/mongodb_certs
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - 'psmdb-server-data:/data/db'
+ - keytabs:/keytabs
 - ../pmm_psmdb-pbm_setup/conf/datagen:/etc/datagen:ro
 privileged: true
 cgroup: host
@@ -62,6 +64,8 @@ services:
 depends_on:
 pmm-server:
 condition: service_healthy
+ kerberos:
+ condition: service_healthy
 pmm-server:
 container_name: pmm-server
@@ -96,6 +100,23 @@ services:
 volumes:
 - 'openldap-data:/bitnami/openldap'
+ kerberos:
+ image: kerberos/local
+ build:
+ dockerfile: ./Dockerfile-kerberos
+ context: .
+ container_name: kerberos
+ hostname: kerberos
+ environment:
+ - "KRB5_TRACE=/dev/stderr"
+ volumes:
+ - keytabs:/keytabs
+ healthcheck:
+ test: ["CMD", "kadmin.local", "-q", "listprincs"]
+ interval: 2s
+ timeout: 1s
+ retries: 5
+
 minio:
 image: minio/minio
 container_name: minio
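Review bot: In the new `userToDNMapping` alternative `([^@]+)@PERCONATEST.COM` the dot is an unescaped regex metacharacter, so the realm part matches any single character in that position rather than only `.`; since the value is a JSON string inside a YAML single-quoted scalar, write it as `([^@]+)@PERCONATEST\\.COM` (one escape consumed by JSON). The alternative is also open on the right, so unless mongod anchors the match itself a longer suffix after the realm would still be accepted; a trailing `$` on that branch keeps the mapping to exactly the test realm. The `{3}` placeholder follows the capture numbering already used by `{1}{2}` in the previous version, so the substitution side looks consistent.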
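Review bot: The `kerberos` healthcheck `kadmin.local -q listprincs` passes as soon as `kdb5_util create` has populated the database, which in `configure_krb5.sh` happens before `ktadd` writes `/keytabs/mongodb.keytab` and before `krb5kdc -n` starts, so `psmdb-server` (gated on `condition: service_healthy` in the previous hunk and running `chown -R mongod:mongod /keytabs` in the first) can start against an empty keytabs volume. Make the check wait for the keytab as well: `test: ["CMD", "sh", "-c", "test -s /keytabs/mongodb.keytab && kadmin.local -q listprincs"]`. That keytab holds the service's long-term key, so adding `chmod 600 /keytabs/mongodb.keytab` next to the `chown` in the psmdb-server command keeps it readable only by mongod whatever mode `ktadd` created it with.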
@@ -128,3 +149,5 @@ volumes:
 driver: local
 openldap-data:
 driver: local
+ keytabs:
+ driver: local
diff --git a/pmm_psmdb_diffauth_setup/test/test.py b/pmm_psmdb_diffauth_setup/test/test.py
index 0cf308b..61f2251 100755
--- a/pmm_psmdb_diffauth_setup/test/test.py
+++ b/pmm_psmdb_diffauth_setup/test/test.py
@@ -58,6 +58,19 @@ def test_simple_auth_tls():
 '--tls --tls-certificate-key-file=/mongodb_certs/client.pem --tls-ca-file=/mongodb_certs/ca-certs.pem '
 '--cluster=mycluster')
+#####
+# All tests for external authentication methods (LDAP, Kerberos, AWS) rely on the `mongod` configuration to handle
+# authentication using the selected method, followed by authorization via LDAP.
+#
+# Therefore, no users are added to `$external` database before testing. Instead, after successful authentication
+# against the selected service, the username is transformed based on the pattern below to match LDAP user
+# `cn=pmm-test,ou=users,dc=example,dc=org`.
+# This user is preconfigured on LDAP server and, after authorization, inherits the privileges assigned in
+# MongoDB to its default group, `cn=readers,ou=users,dc=example,dc=org`.
+#
+# Transformation pattern from `mongod` configuration:
+# [{match: "arn:aws:iam::(.+):user/(.+)|CN=(.+)|([^@]+)@PERCONATEST.COM", substitution: "cn={1}{2}{3},ou=users,dc=example,dc=org"}]
+#####
 def test_x509_auth():
 run_test('pmm-admin add mongodb psmdb-server --host=psmdb-server --port 27017 '
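Review bot: The new comment block names the authorization group as `cn=readers,ou=users,dc=example,dc=org`, but the second patch in this series (`init/setup_psmdb.js`) renames the role to `cn=readers,ou=groups,dc=example,dc=org`, so the comment is stale the moment both land; change `ou=users` to `ou=groups` on the `MongoDB to its default group` line. The quoted `match`/`substitution` pattern is a verbatim copy of the value in `conf/mongod.conf` and will drift silently the next time the mapping changes; prefix it with `# (copied from conf/mongod.conf userToDNMapping - keep in sync)`. `test_x509_auth`'s body continues past the end of the hunk.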
@@ -80,6 +93,11 @@ def test_ldap_auth_tls():
 '--tls --tls-certificate-key-file=/mongodb_certs/client.pem --tls-ca-file=/mongodb_certs/ca-certs.pem '
 '--cluster=mycluster')
+def test_kerberos_auth_wo_tls():
+ run_test('pmm-admin add mongodb psmdb-server --username="pmm-test@PERCONATEST.COM" --password=password1 '
+ '--host=psmdb-server --port 27017 '
+ '--authentication-mechanism=GSSAPI --authentication-database=\'$external\' '
+ '--cluster=mycluster')
 @pytest.mark.skipif(
 any(not os.environ.get(var) for var in env_vars) or os.environ.get('SKIP_AWS_TESTS') == 'true',
From 4a5c904254f6fe56dfc4fef87dac6bd4a36a2373 Mon Sep 17 00:00:00 2001
From: Sandra
Date: Wed, 12 Feb 2025 18:36:15 +0200
Subject: [PATCH 2/2] PSMDB. Use latest openldap, fix LDAP group, do not fail on the first failure
---
pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml | 2 +-
pmm_psmdb_diffauth_setup/init/setup_psmdb.js | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml b/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml
index 061a7ec..f152c10 100644
--- a/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml
+++ b/pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml
@@ -88,7 +88,7 @@ services:
 ldap-server:
 container_name: ldap-server
 hostname: ldap-server
- image: bitnami/openldap:2
+ image: bitnami/openldap
 environment:
 - LDAP_ADMIN_USERNAME=admin
 - LDAP_ADMIN_PASSWORD=adminpassword
diff --git a/pmm_psmdb_diffauth_setup/init/setup_psmdb.js b/pmm_psmdb_diffauth_setup/init/setup_psmdb.js
index 8f1c8fe..3614f54 100644
--- a/pmm_psmdb_diffauth_setup/init/setup_psmdb.js
+++ b/pmm_psmdb_diffauth_setup/init/setup_psmdb.js
@@ -26,7 +26,7 @@ db.getSiblingDB("admin").createRole({
 roles:[]
 });
 db.getSiblingDB("admin").createRole({
- role: "cn=readers,ou=users,dc=example,dc=org",
+ role: "cn=readers,ou=groups,dc=example,dc=org",
 privileges: [],
 roles: [
 { role: "explainRole", db: "admin" },
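Review bot: `test_kerberos_auth_wo_tls` has no TLS counterpart, whereas the simple-auth and LDAP cases are covered both ways (`test_simple_auth_tls` and `test_ldap_auth_tls` appear in this file's hunk headers), so GSSAPI over a TLS connection — the pairing a hardened deployment would actually run — goes untested. The sibling tests use the bare name for the non-TLS case, so `test_kerberos_auth` plus `test_kerberos_auth_tls` would match the file's naming; the TLS variant is the same call with the certificate flags `test_ldap_auth_tls` already passes, as below. The `@pytest.mark.skipif` that follows decorates the AWS test, whose body lies outside the hunk.
```python
def test_kerberos_auth_tls():
    run_test('pmm-admin add mongodb psmdb-server --username="pmm-test@PERCONATEST.COM" --password=password1 '
             '--host=psmdb-server --port 27017 '
             '--authentication-mechanism=GSSAPI --authentication-database=\'$external\' '
             '--tls --tls-certificate-key-file=/mongodb_certs/client.pem --tls-ca-file=/mongodb_certs/ca-certs.pem '
             '--cluster=mycluster')
```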